"The project took a single person less than a day to complete, including
constructing the database structure from scratch...."

- Richard Murray of Hillside Software Publishing Ltd.

ISO 27001 Compliance, 2nd Person

Hillside Software
Glasgow, Scotland

2ndPerson records and tracks information security risks affecting our information assets.
It helps the organization comply with the requirements of the ISO 27001:2005 standard for
information security management. The application name "2ndPerson" relates to the 'segregation
of duties' as a security control. For critical business processes, a "second person" is often
used so a single person does not have complete control over, for example, large financial
transactions. Segregation of duties can help ensure that mistakes are detected and the
potential for deliberate fraud is reduced.
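The following is an added illustration of the 'segregation of duties' control described above; it is not code from 2ndPerson or from Hillside Software. It models a risk-register entry that one person proposes and a different, authorised person must approve, and it includes an audit pass that a reviewer could run over an existing register to find entries where the same identity did both. The user names, the role table and the sample records are constructed for the example.

```python
"""Segregation-of-duties check for a risk-register approval workflow.

Added example (not the 2ndPerson application's own code). A risk treatment
decision is proposed by one identity and must be approved by a different
identity that holds the 'approver' role. Names, roles and records below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


class SegregationOfDutiesError(Exception):
    """Raised when one identity would control both sides of a decision."""


@dataclass
class RiskTreatment:
    risk_id: str
    proposed_by: str
    description: str
    approved_by: Optional[str] = None


# Constructed role table: user id -> set of roles held.
ROLES: Dict[str, Set[str]] = {
    "alice": {"assessor"},
    "bob": {"assessor", "approver"},
    "carol": {"approver"},
}


def approve(treatment: RiskTreatment, approver: str) -> RiskTreatment:
    """Record approval only if the approver is authorised and is not the proposer.

    The role check and the second-person check are deliberately separate so
    that an audit log can distinguish 'not allowed at all' from 'allowed, but
    not for your own proposal'.
    """
    if "approver" not in ROLES.get(approver, set()):
        raise PermissionError(f"{approver} does not hold the approver role")
    if approver == treatment.proposed_by:
        raise SegregationOfDutiesError(
            f"{approver} proposed risk {treatment.risk_id} and cannot also approve it"
        )
    treatment.approved_by = approver
    return treatment


def audit_register(register: List[RiskTreatment]) -> List[str]:
    """Return the ids of approved entries where proposer and approver coincide.

    Useful as a detective control over data that may have been entered before
    the preventive check existed, or edited directly in the database.
    """
    return [
        t.risk_id
        for t in register
        if t.approved_by is not None and t.approved_by == t.proposed_by
    ]


if __name__ == "__main__":
    # Constructed register: one clean entry, one that violates the control.
    register = [
        RiskTreatment("R-001", "alice", "Encrypt laptop disks"),
        RiskTreatment("R-002", "bob", "Quarterly firewall rule review", approved_by="bob"),
    ]
    approve(register[0], "carol")
    print("approved by:", register[0].approved_by)
    print("violations:", audit_register(register))
```

The preventive check in `approve` stops a single person from completing a decision on their own; the `audit_register` pass catches records that bypassed it, which is the kind of evidence an ISO 27001 auditor would ask to see for this control.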

Hillside Software is formally certified as meeting the BS 7799-2:2002 standard, from which
the new ISO 27001 standard has been derived. We plan to upgrade our certification to the new
international standard by the time Bureau Veritas, our certification body, next visits.

Every business needs to take the security of its own, and its customers', information
and IT assets seriously. This is especially important with the very real threats posed
by the increased use of online systems and the Internet. Our certification to the BS7799
standard demonstrates that we have a structured approach to identifying and evaluating
the information security risks affecting our business. It also shows we implement
effective controls. The controls include use of virus detection software, encryption,
backups, firewalls, and a range of policies and working practices aimed at ensuring our
information and IT assets are available when needed — intact, and only accessed by those
who are authorized to do so.

ISO certification means that our customers and partners have increased confidence in
our information security management arrangements. Finally, it shows that "we practice
what we preach", which is important, since a subset of our training courses portfolio
focuses on IT security topics.

Application size and scope

The application uses a single Microsoft Access database containing 18 tables.
The biggest table, which is the set of standard information security controls,
contains 203 records. There are nine main Web pages and 11 Web pages for maintaining
look-up data.

The project

The project took a single person less than a day to complete, including constructing
the database structure from scratch.

Code extensions and customizations

No special code extensions were created and no third-party components were added. A minimum
of programming was involved.

Page layout customizations

We used the standard Iron Speed Designer design theme, 'Sinai'.

Metrics for success

The key objective was to enable our risk management data to be viewed and updated on the
intranet by all relevant employees and contract staff. This objective was achieved.

Iron Speed Designer impact

Without Iron Speed Designer, the project would have been feasible but would have taken at
least six times as long.

Next steps

The next step is to add automation to remind users when re-evaluations
of risks are due. We are also thinking of providing a free copy of the
tool to delegates at one of the information security courses that we offer.
We also need some role-based security changes to bring the application up
to the level expected by delegates.

About the developer

Richard Murray has more than 25 years' experience as a software engineer,
project manager and consultant. He works mainly with high-integrity and
safety-related information systems in the energy, defense and aerospace
sectors. Richard is an Honours Graduate from the University of Glasgow,
Scotland, and is a Fellow of both the British Computer Society and the
Institute of Quality Assurance. He is well-known within the Scottish
software community for his LOW-PAPER DIET approach to helping software
developers comply with the ISO 9001 standard for quality management.